non-query socket errors coming to port 53
Mark.Andrews at nominum.com
Fri May 18 00:43:32 UTC 2001
You can get this error if, as you are, using a query-source
bound to port 53 and are not listening on *all* interfaces.
This could be because of listen-on restricting the interfaces, or
an interface that was brought up since the last interface scan
or since named was started (named -u uid).
The usual way to fix this is to use a different fixed port in
query-source and adjust your firewall.
Mark
>
> Hi...
>
> Jim Reid wrote:
> >
> > >>>>> "susan" == susan hall <suehall at prodigy.net> writes:
> >
> > susan> 17-May-2001 13:21:17.922 refused query on non-query socket
> > susan> from [64.20.240.240].1554
> >
> > susan> But all the servers here running named send queries on port
> > susan> 53, without these errors. All are configured with the
> > susan> query-source address set.
> >
>
>
> > Are you sure about that? What's in the name server logs at start-up or
> > after a reload?
>
> In my startup messages is:
>
> 17-May-2001 11:17:16.960 default: info: Forwarding source address is
> [0.0.0.0].53
>
> The named.conf statement is: query-source address * port 53;
>
> > How about running lsof on named to check what files
> > and sockets it is actually using?
>
> All TCP and UDP sockets shown up by lsof are on port: domain, as in:
>
> named 7602 root 28u IPv4 0x7033e500 0t0 UDP
> xxx1.yyy.com:domain
> named 7602 root 29u IPv4 0x7033dedc 0t0 TCP
> xxx2.yyy.com:domain (LISTEN)
> >
> > The above error message implies that the name server is not using port
> > 53 when it makes outgoing queries. It's complaining because it's
> > getting queries on the socket (port number) it is using. The default
> > behaviour in BIND[89] is to use a random unprivileged port number when
> > querying other name servers. These queries are *sent* to port 53
> > obviously. Nothing should be sending data to that outbound query port
> > number. So it looks like you haven't set up query-source
> > correctly. And there's probably something doing a port scan of your
> > name server. When it sends something to the port number that the name
> > server is using for its outbound queries, the server logs this
> > message, believing the data it got was a query, whether it was a DNS
> > query or not.
>
> Here's a security message logged:
>
> 17-May-2001 13:21:17.922 refused query on non-query socket from
> [64.20.240.240].1554
>
> Here's the iptraced packet that caused it:
>
> ====( 69 bytes received on interface en0 )==== 13:21:17.916016837
> ETHERNET packet : [ 00:06:29:ac:39:8a -> 00:06:29:ac:39:2a ] type 800
> (IP)
> IP header breakdown:
> < SRC = 64.20.240.240 >
> < DST = 198.83.19.241 >
> ip_v=4, ip_hl=20, ip_tos=0, ip_len=55, ip_id=17961, ip_off=0
> ip_ttl=119, ip_sum=f243, ip_p = 17 (UDP)
> UDP header breakdown:
> <source port=1554, <destination port=53(domain) >
> [ udp length = 35 | udp checksum = 2e63 ]
> DNS Packet breakdown:
> QUESTIONS:
> search.vu, type = A, class = IN
>
> The above query was not answered. Three secs. later this ip made
> another dns query, from port 1556, and it was answered. During this I
> was tracing both all requests to and from port 53, and all requests to
> and from the adaptor card. There were no other requests from this
> address on any other port.
>
> Also in the trace, I can see my box sending dns queries to other
> nameservers, and it is always port 53 -> port 53.
>
> Thanks, Susan
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
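Added example, not part of the thread or of BIND itself: a small Python script that does what Susan did by hand, pairing the "refused query on non-query socket" log line with the UDP payload captured by iptrace to check whether the packet that hit the outbound query socket was a genuine DNS query (QR bit clear, one question) or, as Jim suspected, arbitrary data from a port scan. The packet is constructed from the values in the trace above (search.vu, type A, class IN); the regular expression, function names and the `LOG_LINE`/`PROBE` samples are assumptions for this example.

```python
import re
import struct

# Constructed sample: the log line Susan reported, reproduced verbatim.
LOG_LINE = ("17-May-2001 13:21:17.922 refused query on non-query socket "
            "from [64.20.240.240].1554")

# Constructed sample of non-DNS data, the kind a port scanner might send.
PROBE = b"\r\n"

# Assumed pattern for the BIND 8 message format shown in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) refused query on non-query socket from "
    r"\[(?P<addr>[^\]]+)\]\.(?P<port>\d+)$"
)


def parse_refused_log(line):
    """Extract timestamp, source address and source port from the log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"time": m.group("ts"), "addr": m.group("addr"),
            "port": int(m.group("port"))}


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype=1, qclass=1, txid=0x1234):
    """Build the DNS query seen in the trace: QR=0, RD=1, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def decode_name(data, offset):
    """Decode an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # Compression pointers never appear in a question name sent by a client.
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def classify_dns(payload):
    """Decide whether a UDP payload is a DNS query, a DNS response, or not DNS."""
    if len(payload) < 12:
        return {"kind": "not-dns", "reason": "shorter than a 12-byte DNS header"}
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    result = {"kind": "dns", "id": txid, "opcode": (flags >> 11) & 0xF,
              "qr": "response" if flags & 0x8000 else "query", "qdcount": qd}
    if qd >= 1:
        try:
            qname, off = decode_name(payload, 12)
            qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
            result["question"] = (qname, qtype, qclass)
        except (IndexError, ValueError, struct.error, UnicodeDecodeError):
            result["question"] = None  # header looked like DNS, body did not
    return result


def explain(log_line, payload):
    """Correlate the log line with the captured payload and summarise the cause."""
    entry = parse_refused_log(log_line)
    info = classify_dns(payload)
    if entry is None:
        return "log line not recognised"
    if info["kind"] == "dns" and info["qr"] == "query" and info.get("question"):
        name, qtype, qclass = info["question"]
        return (f"genuine DNS query for {name} (type {qtype}) from "
                f"{entry['addr']}:{entry['port']} reached the outbound query socket")
    return f"non-DNS data from {entry['addr']}:{entry['port']} hit the query socket"


if __name__ == "__main__":
    pkt = build_query("search.vu")
    print(len(pkt), "byte DNS payload (trace shows udp length 35 = 8 + 27)")
    print(explain(LOG_LINE, pkt))
    print(explain(LOG_LINE, PROBE))
```

The 27-byte payload the script builds matches the trace (udp length 35 minus the 8-byte UDP header), and the decoded question is exactly the one iptrace printed, which supports Susan's reading that the refused packet was a real query rather than scan noise; Mark's diagnosis (the wildcard query-source socket on port 53 receiving traffic on an interface named is not listening on) is the remaining explanation.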